Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, all Web requests (HTTP, FTP, HTTPS, and Gopher) are sent directly to the Web Proxy service. All other requests are handled first by the Firewall service.


ISA Server Clients and the Domain Name System

Domain Name System (DNS) name resolution is a primary consideration when choosing which ISA clients to utilize on the internal network. The following table outlines how DNS name resolution is performed by each ISA client.

| ISA Server Client | Name Resolution Method |
| --- | --- |
| SecureNAT client | Depends on the environment. Either provide the client with an internal DNS server, or configure ISA Server to pass DNS queries directly from the client to an external DNS server. |
| Web Proxy client | ISA Server Web Proxy service can provide simple DNS functionality. This is based on the DNS configuration on the ISA Server itself. |
| Firewall client | ISA Server Firewall service can provide simple DNS functionality. This is based on the DNS configuration on the ISA Server itself. |

Firewall Clients

A Firewall client is a computer with Firewall Client software installed and enabled. The Firewall client runs Winsock applications that use the Firewall service of ISA Server. When a Firewall client uses a Winsock application to request an object from a computer, the client checks its copy of the local address table (LAT) to determine whether the specified computer is in the LAT. If the computer is not in the LAT, the request is sent to the ISA Server Firewall service. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. The Firewall Client software can send Windows user information, which is required for authentication purposes, to the ISA Server computer.

ISA Server installs the following components on the client computer during client setup:

Mspclnt.ini, a shared client configuration file and the local domain table

Msplat.txt, a shared client local address table

The Firewall Client application

You can change the default settings for all of these components after installation. The new configuration settings take effect only when the client configuration is refreshed.

For more information, see "Firewall client components" in the ISA Server documentation.

Setting up a Firewall client does not configure individual Winsock applications. Instead, it uses the same Winsock dynamic link library (.dll) that the other applications use. The Firewall client then intercepts the application calls and determines whether to route the request to the ISA Server computer. For more information, see "Install Firewall Client software" in the ISA Server documentation.
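The LAT check described above, together with a defender's audit of the table, as an added example (not ISA Server code). It assumes Msplat.txt holds one start/end IPv4 address pair per line; the sample table, the function names and the rule that only RFC 1918 and loopback ranges count as internal are assumptions of this example.

```python
import ipaddress

# Constructed sample. Layout (one "start end" IPv4 pair per line) is assumed.
SAMPLE_LAT = """\
10.0.0.0\t10.255.255.255
192.168.0.0\t192.168.255.255
127.0.0.0\t127.255.255.255
203.0.113.0\t203.0.113.255
"""

# Assumed audit policy: only RFC 1918 and loopback space belongs in a LAT.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_lat(text):
    """Return a list of (start, end) IPv4Address pairs; blank lines are skipped."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {line!r}")
        start, end = (ipaddress.IPv4Address(f) for f in fields)
        if start > end:
            raise ValueError(f"line {lineno}: start address is above end address")
        ranges.append((start, end))
    return ranges

def route(dest, lat):
    """Mirror the Firewall client decision: a LAT hit goes direct, a miss goes to ISA."""
    addr = ipaddress.IPv4Address(dest)
    in_lat = any(start <= addr <= end for start, end in lat)
    return "direct" if in_lat else "isa-firewall-service"

def audit_lat(lat):
    """Return LAT ranges not wholly inside INTERNAL_NETS (their traffic skips ISA)."""
    flagged = []
    for start, end in lat:
        nets = ipaddress.summarize_address_range(start, end)
        if not all(any(n.subnet_of(i) for i in INTERNAL_NETS) for n in nets):
            flagged.append((str(start), str(end)))
    return flagged

if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for dest in ("10.1.2.3", "198.51.100.7", "203.0.113.9"):
        print(dest, "->", route(dest, lat))
    print("ranges to review:", audit_lat(lat))
```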

SecureNAT Clients

Client computers that do not have Firewall Client software are secure network address translation (SecureNAT) clients. SecureNAT clients can benefit from many of the features of ISA Server. This includes most access control features, with the exception of high-level protocol support and user-level authentication.

Although SecureNAT clients do not require special software, it is recommended that you configure the default gateway so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. You can configure clients either by using the DHCP service or manually.

Because requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security features:

Application filters can modify the protocol stream to enable handling of complex protocols. In Windows 2000 NAT, this is accomplished through NAT editors, which are written as kernel-mode NAT editor drivers.

The Firewall service can pass all Hypertext Transfer Protocol (HTTP) requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

SecureNAT and Windows 2000 NAT

ISA Server extends the Windows 2000 network address translation (NAT) functionality by enforcing ISA Server policy for SecureNAT clients. In other words, all ISA Server rules can be applied to SecureNAT clients, despite the fact that Windows 2000 NAT does not have an inherent authentication mechanism. (Policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.)

SecureNAT clients and server publishing

As with Firewall clients, SecureNAT clients can also be servers, such as mail servers, which publish information to the Internet. You configure server publishing rules to publish servers as SecureNAT clients. Further, if you are using server publishing rules to publish a server, it is recommended that the server be a SecureNAT client, because the Firewall Client software can interfere with the publishing. Because the published server is a SecureNAT client, no special configuration of the published server is required after you create the server publishing rule on the ISA Server computer. Note that ISA Server must be configured as the default gateway on the published server. For more information, see "Configuring SecureNAT clients" in the ISA Server documentation.

SecureNAT clients are supported in Firewall or Integrated mode, not in cache mode. For more information about modes, see "ISA Server modes" in the ISA Server documentation.

Web Proxy Clients

A Web Proxy client is a client computer that has a Web browser application that complies with Hypertext Transfer Protocol (HTTP) 1.1 and that is configured to use the Web Proxy service of ISA Server. Each Web browser is configured through its own user interface.

When you install Firewall Client software, the Web browser settings on the Firewall Client desktop can be configured automatically. Subsequently, you can reconfigure the Web browser clients. You can use ISA Management to configure the following Web browser properties:

The ISA Server and port to which the client will connect

Automatic discovery settings

The computers that the Firewall client's Web browser will access directly

Backup route, if the ISA Server is unavailable

When the Firewall Client software is installed, the Web browser on the client computer is configured with those settings.

If the Firewall Client software is not installed, then the Web browser can be configured manually.

For more information, see the following topics in the ISA Server documentation: